Gardyn Smart Garden CVE-2026-28766 Exposes All User Account Data Without Authentication
Summary
A critical information disclosure vulnerability (CVE-2026-28766, CVSS 9.3) in Gardyn smart garden devices exposes all registered user account information through an unauthenticated API endpoint. Published to NVD on April 4, 2026, the flaw allows any unauthenticated attacker to enumerate and access personal data of all Gardyn users, raising significant privacy concerns for IoT device owners.
Threat Analysis
CVE-2026-28766 is a critical information disclosure vulnerability (CVSS 9.3) affecting Gardyn smart garden devices and their associated cloud platform, published to the NVD on April 4, 2026. A specific API endpoint returns account information for every registered Gardyn user without requiring any authentication: anyone who can reach the endpoint can enumerate and retrieve personal data, including names, email addresses and home addresses, and potentially payment information, for the entire customer base.

Because the exposure is in an API endpoint that holds every user's account data rather than in a setting the device owner controls, nothing an owner does can close it; remediation is entirely on the vendor's side, and any data already retrieved cannot be recalled. The root cause is a missing authentication check on a function that should never have been reachable anonymously, but requiring a login is only half of a fix: an endpoint that lists every account is still a mass-disclosure bug if any authenticated user can call it, so the endpoint also needs object-level authorization (a caller may read only its own record, and bulk listing is restricted to an administrative role). Gardyn should patch the endpoint, review access logs for earlier bulk retrieval, and notify affected users of the potential data exposure.

IoT devices and their cloud backends frequently suffer from inadequate authentication controls, which makes them attractive targets for data harvesting operations. Gardyn users should watch their accounts for signs of unauthorized access, change their password and enable multi-factor authentication where available (this protects against account takeover, not against misuse of details that were already exposed), and be alert to phishing that uses their real name and address to appear legitimate.
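The following is an added illustration, not Gardyn's code and not taken from the advisory: a minimal in-memory API that shows the vulnerable pattern described above (an account-listing route that never looks at credentials) beside a hardened version that authenticates the caller, restricts bulk listing to an admin scope and enforces object-level authorization on single-record reads. The paths /api/users and /api/users/<id>, the bearer tokens, the scopes and the user records are all hypothetical, constructed for the example; the probe at the end is the check a tester would run against any such endpoint.

```python
"""Hypothetical user API: vulnerable listing handler beside a hardened one.

Nothing here is Gardyn's code; paths, tokens and records are constructed
for illustration only.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data standing in for the service's user table.
USERS = {
    1: {"id": 1, "name": "Alice Example", "email": "alice@example.com", "address": "1 Main St"},
    2: {"id": 2, "name": "Bob Example", "email": "bob@example.com", "address": "2 Main St"},
}

# Hypothetical opaque bearer tokens -> (user_id, scopes). A real service would
# validate a signed or server-stored session token instead of a static table.
TOKENS = {
    "tok-alice": (1, {"user"}),
    "tok-admin": (99, {"user", "admin"}),
}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def vulnerable_handler(req: Request):
    """Vulnerable pattern: the listing route returns every record and never
    inspects the Authorization header, so an anonymous GET dumps all users."""
    if req.path == "/api/users":
        return 200, list(USERS.values())
    return 404, {"error": "not found"}


def _authenticate(req: Request):
    """Return (user_id, scopes) for a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, identity in TOKENS.items():
        # Constant-time comparison so token validation does not leak by timing.
        if hmac.compare_digest(presented, token):
            return identity
    return None


def hardened_handler(req: Request):
    """Hardened version: authenticate first, then authorize per object."""
    identity = _authenticate(req)
    if identity is None:
        return 401, {"error": "authentication required"}
    user_id, scopes = identity

    if req.path == "/api/users":
        # Listing every account is an administrative function; an ordinary
        # login is not enough, otherwise any customer could still bulk-dump.
        if "admin" not in scopes:
            return 403, {"error": "forbidden"}
        return 200, list(USERS.values())

    if req.path.startswith("/api/users/"):
        try:
            target = int(req.path.rsplit("/", 1)[1])
        except ValueError:
            return 404, {"error": "not found"}
        # Object-level authorization: a caller may read only its own record.
        if target != user_id and "admin" not in scopes:
            return 403, {"error": "forbidden"}
        record = USERS.get(target)
        if record is None:
            return 404, {"error": "not found"}
        return 200, record

    return 404, {"error": "not found"}


def leaks_unauthenticated(handler) -> bool:
    """Tester's probe: does an anonymous request to the listing route
    come back with user records? True means the endpoint is exposed."""
    status, body = handler(Request("/api/users"))
    return status == 200 and isinstance(body, list) and len(body) > 0


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_unauthenticated(vulnerable_handler))
    print("hardened leaks:  ", leaks_unauthenticated(hardened_handler))
```

The probe is worth keeping in a regression suite: it is cheap, needs no credentials, and catches the exact class of regression that produced this CVE, a route that reaches the data layer before reaching the authentication layer.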